
Car cybersecurity: What do automakers really think?


Ponemon Institute survey: a look at car cybersecurity, the advantages and the roadblocks

Published in: Technology


  1. Car cybersecurity: What do the automakers really think?
     Gene Carter, Director of Product Management, Security Innovation
     Peter Samson, Vice President and General Manager, Security Innovation
     Larry Ponemon, Chairman, Ponemon Institute
     Walter Capitani, Product Manager, Rogue Wave Software
  2. First, a few things…
     • The webcast recording link and the slides will be sent to all registrants tomorrow
     • Please type all questions in the Questions dialogue box to the right
     • The Ponemon white paper can be downloaded here: http://web.securityinnovation.com/car-security-what-automakers-think
  3. The Current State of Automotive Cyber Security
     Peter Samson, Vice President and General Manager, Security Innovation
  4. [Chart: Connected Car Market. Source: IHS Automotive]
  5. Economic Value (analyst estimates for the connected car market, as shown on the slide): $152 billion by 2020; $141 billion by 2020; $132 billion by 2020; $128 billion by 2020; $98 billion by 2018
  6. The Complexity Challenge: 1.7 million lines of code; 6.5 million lines of code; 100 million lines of code; 100 ECUs; 5 networks; 2 miles of cable; 10+ operating systems; electronics at 50% of total cost
  7. What’s the Risk? Extortion; theft; terrorism; revenge; mischief; insurance fraud; corporate espionage; stalking and spying; feature activation; identity theft; counterfeiting
  8. Where’s the Risk? External and internal attack surfaces: Bluetooth, Internet, V2X, key fob, LiDAR, TPMS, Wi-Fi, tail light, diagnostics, OBD-II, USB, SD card, aux input, DVD, CAN bus, touchscreen, Ethernet, mobile phone
  9. Security updates; segmentation and isolation; evidence capture; third-party collaboration; secure by design; early pressure
  10. Collaborations
  11. Government Shows Interest – February 2015
  12. Government Asks Questions – May 2015
  13. Government Asks Questions – May 2015
     1. Who in your organization is responsible for evaluating, testing, and monitoring potential cyber vulnerabilities?
     2. How does your organization incorporate cybersecurity best practices into your products?
     3. What policies, procedures, and practices do you employ to evaluate potential cyber vulnerabilities?
     4. Who in your organization is responsible for addressing potential vulnerabilities in the products of your suppliers?
     5. How do you work with suppliers to minimize potential vulnerabilities?
     6. How do you track or evaluate potential vulnerabilities once a product is in the field?
     7. How do you, or how do you intend to, remediate vulnerabilities after a vehicle has entered the market?
     8. Do you intend to use over-the-air (OTA) updates to upgrade vehicle systems or technology?
     9. To what extent do existing vehicle systems and technologies utilize public key infrastructure?
     10. What steps have you taken to evaluate how connected elements interact with vehicle safety systems?
     11. Because vehicles interact with technologies outside the vehicle, what steps are you taking to evaluate potential vulnerabilities?
     12. How do you interact with the security research community to identify potential threats and/or vulnerabilities?
     13. What are the greatest challenges to cybersecurity in the industry?
     14. How is the automobile industry working with the government to address the challenge of cybersecurity?
  14. Government Plans Action – July 2015
     Cybersecurity standards: hacking protection, data security, hacking mitigation
     Privacy standards: transparency, consumer choice, marketing prohibition
     Cyber dashboard: a window sticker showing how well the car protects the security and privacy of the owner
  15. Government Piles It On – October 2015
     Anti-hacking provision: unauthorized access to an ECU or critical system is illegal, $100,000 fine per instance, no exceptions
     Formation of a Cyber Security Advisory Panel: standardized and controlled security best practices, with fines of up to $15M for non-compliance
  16. Hardly New News
     2003: ESCAR founded
     2008: First CAN bus exploits
     2010: Univ. of WA and UCSD seminal demonstrations; first known “hack for real” (Texas Auto Center)
     2013: DARPA funds research on vulnerabilities; list of 20 most hackable cars
     2015: Enters public consciousness: “60 Minutes”; dongle hacks (Progressive, Zubie, Metromile …); BMW hack; OnStar hack and weaponization; Jeep Cherokee stunt …
  17. Application Security Maturity Model [chart: Tools and Technology (low to high) against People and Processes (low to high); stages along a typical progression curve: Panic and Scramble, Pit of Despair, Security as a Core Business Practice] https://securityinnovation.com/services/application-security-maturity.html
  18. So Let’s Ask the Automakers
      What do you know?
      How much do you care?
      What have you learned from the past?
      Are you optimistic?
      Are you ready?
  19. The Survey Results
     Larry Ponemon, Chairman, Ponemon Institute
  20. Methods
     Survey response                Number   %
     Total sampling frame           8,891    100%
     Total returns                  595      6.7%
     Rejected or screened surveys   71       0.8%
     Final sample                   524      5.9%
  21. Current role within the organization: Corporate IT 6%; IT security 7%; Supervisor of software development 9%; Manager of software development 10%; Software designer 14%; Software programmer 17%; Software engineer 18%; Software developer 20%
  22. Company’s role in the automotive industry: Manufacturer/OEM 45%; Tier One 31%; Tier Two 19%; Tier Three 5%
  23. Involvement in application development: High level of involvement 36%; Moderate level of involvement 46%; Low level of involvement 18%
  24. Familiarity with company programs for securing software for automobiles: Very familiar 29%; Familiar 51%; Somewhat familiar 20%
  25. Current position within the organization: Executive/VP 4%; Director 18%; Manager 17%; Supervisor 17%; Technician/associate 38%; Consultant 5%; Other 1%
  26. Number of software developers and global headcount
     Global headcount: Less than 100, 5%; 100 to 500, 13%; 501 to 1,000, 12%; 1,001 to 5,000, 11%; 5,001 to 10,000, 10%; 10,001 to 25,000, 15%; 25,001 to 75,000, 15%; More than 75,000, 19%
     Number of software developers: I am an independent software developer, 10%; Less than 100, 13%; 101 to 1,000, 16%; 1,001 to 5,000, 25%; 5,001 to 10,000, 28%; More than 10,000, 7%
  27. Location of employees (multiple regions per respondent): United States 100%; Canada 68%; Europe 70%; Asia-Pacific 58%; Middle East & Africa 41%; Latin America (including Mexico) 31%
  28. Hackers are actively targeting automobiles: Strongly agree 15%; Agree 29%; Unsure 31%; Disagree 18%; Strongly disagree 7%
  29. How difficult is it to secure applications in automobiles? Very difficult 36%; Difficult 33%; Somewhat difficult 21%; Not difficult 9%; Easy 2%
  30. Is a major overhaul of the automobile’s technology architecture needed to make it more secure? Yes 48%; No 40%; Unsure 12%
  31. Is it possible to build a nearly hack-proof automobile? Yes 19%; No 47%; Unsure 34%
  32. Why isn’t it possible to build an automobile that is nearly hack proof? Other 3%; Lack of expertise 10%; Additional costs to secure software 19%; Not considered important 22%; Takes too much time 22%; Pressure to complete development 24%
  33. Is security being integrated into the entire software development lifecycle or is it an add-on? Totally integrated 14%; Partially integrated 29%; Added on 51%; Unsure 7%
  34. Should white hat hackers be subject to the Digital Millennium Copyright Act (DMCA)? Yes 43%; No 42%; Unsure 15%
  35. Should white hat hackers be encouraged to test the security of automotive software? Yes 22%; No 54%; Unsure 24%
  36. My company’s automotive software development process includes activities for security requirements: Strongly agree 15%; Agree 27%; Unsure 29%; Disagree 21%; Strongly disagree 8%
  37. What the results mean in the real world of automotive
     Walter Capitani, Product Manager, Rogue Wave Software
  38. The top 3 key findings
     1. Enabling technologies are not being provided to developers so they can build security into their processes
     2. Developers want, but do not have, the skills necessary to combat software security threats, and they do not feel they are properly trained
     3. Automakers are not as knowledgeable about secure software development as other industries
  39. Did you know? 60-70% of vehicle recalls are due to software glitches. Electronic components make up over 50% of the total manufacturing cost of a car.
  40. Security must be built in! Finding 1: Enabling technologies are not being provided to developers so they can build security into their processes
     22% believe “security takes too much time”
     22% say “security is not considered important”
     More than 50% say security is added on after the fact
  41. Why build security into the development process?
     More and more software running inside your car: millions of lines of code, dozens of processors, each with multiple cores; multiple systems interconnected; some designed years ago with little or no security in mind
     Multiple sources of software being integrated: new code, COTS, suppliers, legacy, open source; different platforms, people, and processes
     Software running your car could remain that way for many years: vulnerabilities and bugs will last for years; not an easy update/upgrade path
     This requires a very significant security and functional verification process: automation will be critical; certification is inevitable
  42. Build-only analysis in the dev process
  43. Cost of defects [chart: 50% of defects are introduced at coding time; build analysis and test find security defects when they are introduced, where they are cheapest to fix]
  44. Developers need your help! Finding 2: Developers want, but do not have, the skills necessary to combat software security threats, and they do not feel they are properly trained
     Over 50% indicate that their development processes do not include any activity supporting security requirements
     Only 41% agree that secure software is a priority for their company
     69% believe that securing applications is difficult
  45. How do hackers get in? Most breaches result from input trust issues: data breaches are the result of one flawed assumption, that incoming data is well-formed. Examples: cross-site scripting, SQL injection, unvalidated input, and Heartbleed (a buffer over-read caused by trusting the peer-supplied length field). The OWASP Top 10 identifies common vulnerabilities from over 500,000 issues being researched today; CWE is a community-driven identification of weaknesses, e.g. CWE-20: Improper Input Validation.
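The "incoming data is well-formed" assumption behind Heartbleed, as an added example that is not part of the webcast slides or of any product mentioned in them. It parses a hypothetical heartbeat-style record (one type byte, a 16-bit big-endian payload length, then the payload) in its vulnerable form, which trusts the claimed length and ignores how many bytes actually arrived, beside a checked form that rejects any length the record cannot hold. The record layout, the function names and the two sample records are constructed for illustration.

```c
/* Added example: CWE-20 (improper input validation) in a length-prefixed
 * message parser, vulnerable and hardened side by side.
 * Hypothetical record layout: byte 0 = type, bytes 1..2 = payload length
 * (big-endian), bytes 3.. = payload.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR_LEN 3   /* type (1) + length (2) */

/* Vulnerable parser: returns the sender-claimed payload length without
 * checking it against the bytes actually received. A reply built from
 * this value reads past the end of the record (CWE-126 buffer over-read,
 * the Heartbleed pattern). */
int hb_payload_len_vulnerable(const uint8_t *rec, size_t rec_len)
{
    (void)rec_len;                     /* the bug: the real length is ignored */
    return (rec[1] << 8) | rec[2];
}

/* Hardened parser: the claimed length must fit inside what was received.
 * Returns the payload length, or -1 if the record is malformed. */
int hb_payload_len_checked(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HDR_LEN)
        return -1;                     /* header itself is truncated */
    size_t claimed = (size_t)((rec[1] << 8) | rec[2]);
    if (claimed > rec_len - HB_HDR_LEN)
        return -1;                     /* claims more bytes than were sent */
    return (int)claimed;
}

/* Build an echo reply using only the checked parser. Returns the reply
 * length, or -1 if the record is malformed or the output buffer is too small. */
int hb_build_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    int n = hb_payload_len_checked(rec, rec_len);
    if (n < 0 || (size_t)n + HB_HDR_LEN > out_cap)
        return -1;
    out[0] = 2;                        /* hypothetical "response" type */
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)n;
    memcpy(out + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)n);
    return n + HB_HDR_LEN;
}

/* Round trip: 1 if a reply is built and echoes exactly the sent payload, else 0. */
int hb_roundtrip_ok(const uint8_t *rec, size_t rec_len)
{
    uint8_t reply[64];
    int len = hb_build_reply(rec, rec_len, reply, sizeof reply);
    if (len < 0)
        return 0;
    return memcmp(reply + HB_HDR_LEN, rec + HB_HDR_LEN, (size_t)len - HB_HDR_LEN) == 0;
}

/* Constructed sample records (not captured traffic). */
const uint8_t hb_benign[] = { 1, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
/* Claims 65535 bytes of payload but carries a single byte. */
const uint8_t hb_malicious[] = { 1, 0xFF, 0xFF, 'x' };

int main(void)
{
    printf("benign:    vulnerable=%d checked=%d roundtrip=%d\n",
           hb_payload_len_vulnerable(hb_benign, sizeof hb_benign),
           hb_payload_len_checked(hb_benign, sizeof hb_benign),
           hb_roundtrip_ok(hb_benign, sizeof hb_benign));
    printf("malicious: vulnerable=%d checked=%d roundtrip=%d\n",
           hb_payload_len_vulnerable(hb_malicious, sizeof hb_malicious),
           hb_payload_len_checked(hb_malicious, sizeof hb_malicious),
           hb_roundtrip_ok(hb_malicious, sizeof hb_malicious));
    return 0;
}
```

The vulnerable function only returns the number it would copy, so the program runs without actually over-reading; in a real server that number drives a memcpy out of adjacent memory. The checked version has the same shape as the Heartbleed fix: the header plus the claimed payload must not exceed the bytes of the record that were received, and anything else is discarded before any copy happens.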
  46. Developers don’t know security (80% failed a security knowledge survey). Development teams need: visibility into applications; reports and audits of the code; threat modeling; penetration testing; a way to mitigate security vulnerabilities
  47. The time is now! Finding 3: Automakers are not as knowledgeable about secure software development as other industries
     Only 28% of automakers believe that they are as knowledgeable as other industries with respect to security
     47% don’t believe that making an automobile “nearly hack proof” is even possible
     Only 18% indicated that their biggest concern was non-compliance with industry standards
  48. Security domain knowledge is lacking
     • IT organizations have been dealing with cybersecurity for a long time
     • Many failures, but they learned from them
     • Tools, policies, and processes have already been developed
     • Automakers need to catch up – fast!
  49. Move fast: Adopt and adapt. Many existing cybersecurity practices can be put to use in automotive applications: adopt existing tools to find weaknesses and prove compliance; adapt them to the automotive environment to mitigate security risks up front
  50. MISRA: Maybe I should reuse another…
  51. Conclusion
     1. Enabling technologies are not being provided to developers so they can build security into their processes
     2. Developers want, but do not have, the skills necessary to combat software security threats, and they do not feel they are properly trained
     3. Automakers are not as knowledgeable about secure software development as other industries
  52. Q & A: Peter Samson, Larry Ponemon, Walter Capitani
